Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Classeo/backend/config/packages/security.yaml
Mathias STRASSER be1b0b60a6 feat: Permettre la génération et l'envoi de codes d'invitation aux parents 
Les administrateurs ont besoin d'un moyen simple pour inviter les parents
à rejoindre la plateforme. Cette fonctionnalité permet de générer des codes
d'invitation uniques (8 caractères alphanumériques) avec une validité de
48h, de les envoyer par email, et de les activer via une page publique
dédiée qui crée automatiquement le compte parent.

L'interface d'administration offre l'envoi unitaire et en masse, le renvoi,
le filtrage par statut, ainsi que la visualisation de l'état de chaque
invitation (en attente, activée, expirée).
2026-02-28 16:37:10 +01:00

93 lines
3.9 KiB
YAML
Raw Permalink Blame History

security:
# Role hierarchy — Direction inherits read permissions on whole school (AC3, FR5)
role_hierarchy:
ROLE_SUPER_ADMIN: [ROLE_ADMIN]
ROLE_ADMIN: [ROLE_PROF, ROLE_VIE_SCOLAIRE, ROLE_SECRETARIAT]
ROLE_PROF: [ROLE_USER]
ROLE_VIE_SCOLAIRE: [ROLE_USER]
ROLE_SECRETARIAT: [ROLE_USER]
ROLE_PARENT: [ROLE_USER]
ROLE_ELEVE: [ROLE_USER]
# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
# Named hasher for domain services (decoupled from User entity)
common:
algorithm: auto
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
providers:
# User provider for API authentication (Story 1.4)
app_user_provider:
id: App\Administration\Infrastructure\Security\DatabaseUserProvider
# Super Admin authentication — master database, not per-tenant (Story 2.10)
super_admin_provider:
id: App\SuperAdmin\Infrastructure\Security\SuperAdminUserProvider
# Chain provider: tries super admin first, then tenant user
all_users_provider:
chain:
providers: ['super_admin_provider', 'app_user_provider']
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# Monitoring endpoints - no authentication, restricted by IP in production
monitoring:
pattern: ^/(health|metrics)$
stateless: true
security: false
api_login:
pattern: ^/api/login$
stateless: true
json_login:
check_path: /api/login
username_path: email
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: App\Administration\Infrastructure\Security\LoginFailureHandler
provider: all_users_provider
super_admin_api:
pattern: ^/api/super-admin
stateless: true
jwt: ~
provider: super_admin_provider
api_public:
pattern: ^/api/(activation-tokens|activate|token/(refresh|logout)|password/(forgot|reset)|parent-invitations/activate|docs)(/|$)
stateless: true
security: false
api:
pattern: ^/api
stateless: true
jwt: ~
provider: all_users_provider
main:
lazy: true
provider: app_user_provider
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
- { path: ^/api/docs, roles: PUBLIC_ACCESS }
- { path: ^/api/super-admin, roles: ROLE_SUPER_ADMIN }
- { path: ^/api/login, roles: PUBLIC_ACCESS }
- { path: ^/api/activation-tokens, roles: PUBLIC_ACCESS }
- { path: ^/api/activate, roles: PUBLIC_ACCESS }
- { path: ^/api/token/refresh, roles: PUBLIC_ACCESS }
- { path: ^/api/token/logout, roles: PUBLIC_ACCESS }
- { path: ^/api/password/forgot, roles: PUBLIC_ACCESS }
- { path: ^/api/password/reset, roles: PUBLIC_ACCESS }
- { path: ^/api/parent-invitations/activate, roles: PUBLIC_ACCESS }
- { path: ^/api/import, roles: ROLE_ADMIN }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
when@test:
security:
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
algorithm: auto
cost: 4 # Lowest possible value for bcrypt
time_cost: 3 # Lowest possible value for argon
memory_cost: 10 # Lowest possible value for argon
Reference in New Issue View Git Blame Copy Permalink